At the end of June, online ticket company Ticketmaster confirmed that Inbenta, a third-party website supplier, had suffered a security incident. However, researchers at RiskIQ now say the incident was more complicated than it appeared, and definitely not a one-off attack.

Investigations show it was part of a highly sophisticated scam that targeted 800 e-commerce sites worldwide. The group responsible goes by the name Magecart, a digital card-skimming operation with an elaborate technique: it attacks companies whose software is integrated into sites such as Ticketmaster's and replaces their JavaScript modules with malicious code designed to steal payment information. Inbenta's JavaScript module was one of the modules compromised in this campaign. Besides its UK site, a number of Ticketmaster websites were affected, including the sites for Ireland, Turkey and New Zealand.

“Ticketmaster Germany, Ticketmaster Australia and Ticketmaster International (previously mentioned in the Inbenta breach) were also compromised via another completely different third-party supplier of functionality,” the firm said.

Magecart is a group that researchers are familiar with, having expressed concern about it in the past. The campaign also affected other providers, including a social media integration company, a web analytics company and a CMS platform. According to the research, the hackers have been sending skimmed payment details to a collection server since as early as December 2016.

“Our investigation following the Inbenta breach uncovered evidence that the Inbenta attack was not a one-off, but instead indicative of a change in strategy by Magecart from focusing on piecemeal compromises to targeting third-party providers like Inbenta to perform more widespread compromises of card data,” analysts wrote.

A Harrisonville, Missouri-based hospital has been forced to shut down some operations and divert patients after a ransomware attack on its infrastructure and electronic health record (EHR) vendor.

Ransomware operators have shifted focus from the consumer segment to the more lucrative business sector. In recent months, bad actors have acquired a specific taste for healthcare providers.

Earlier this week, Cass Regional Medical Center – a hospital in Harrisonville, Missouri – posted a notice announcing it had fallen victim to a ransomware attack. The incident is only the latest in a long string of ransomware attacks targeting the healthcare industry in the past 12 months.

“At approximately 11 a.m. this morning, Cass Regional Medical Center became aware of a ransomware attack on its information technology infrastructure,” reads the notice, posted by the hospital on Facebook. “Affected areas include internal communication systems and access to the organization’s electronic health record (EHR). At this time, there is no evidence that patient data has been breached, but as an extra precaution, Meditech, the hospital’s EHR vendor, has opted to shut down the system until the attack is resolved.”

Hospital leadership was prompt in responding to the attack. Within half an hour of the first signs of attack, patient care managers reportedly met to devise a plan to continue to tend to patients safely and effectively. The IT department, meanwhile, called on law enforcement and cybersecurity experts to take steps toward mitigation.

To ensure optimal care for its patients, clinical leaders have decided to go on “ambulance diversion” for trauma and stroke emergencies, according to the notice. “Hospital personnel will continue to evaluate the situation and respond accordingly,” Cass Regional Medical Center said.

Details about the ransomware strain used by the attackers were not available at press time.

German web-hosting firm DomainFactory has suffered a severe data breach, reportedly because one of its employees owed money to the attacker. The company only learned of the breach when the hacker announced it himself, on its support forum.

The breach itself dates back to January, but the company and its customers only learned of it six months later, on July 3, when the attacker posted on the DomainFactory support forum to break word of his deed. As proof, he published the data of a number of customers for everyone to see.

The reason behind the attack, according to German news outlet Heise Online, was to obtain the credentials of an employee who owed the attacker money. When he noticed that DomainFactory was reluctant to acknowledge the breach, he decided to make it public.

DomainFactory’s explanation, however, differs a bit. In a forum post, the web hosting firm explains (machine-translated from German):

“The result of an initial investigation was that after a system change that took place at the end of January, certain customer information was unintentionally accessible to third parties via a data feed. This data feed was triggered when customers made changes to their DomainFactory accounts, but they caused system errors when they were saved.”

DomainFactory said it quickly shut down the forum to prevent further access to the leaked data. The firm then hired an unnamed security company to focus additional resources on mitigation.

The firm urges all customers to change their DomainFactory passwords as soon as possible. These include customer account passwords, phone passwords, e-mail passwords, FTP / live disk passwords, SSH passwords and MySQL database passwords. Detailed instructions on how to do that can be found here: blog.df.eu/pw.

Yesterday Apple released a brace of updates for its software – fixing bugs and patching security holes in the likes of MacOS, watchOS, tvOS, Safari, iTunes for Windows, iCloud for Windows, and iOS for iPhones and iPads.

The update for iOS, bringing it to version 11.4.1, is particularly interesting as it includes a new feature – “USB Restricted Mode.”

USB Restricted Mode is designed to disable an iPhone or iPad’s Lightning port, preventing it from transferring data, one hour after the device was last locked.

You can still charge the device after its Lightning port has been disabled, but you need to enter the device's passcode if you want to use the port to transfer data to and from it.

“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked.”

“If you don’t first unlock your password-protected iOS device — or you haven’t unlocked and connected it to a USB accessory within the past hour — your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.”

Which sounds, of course, like bad news for law enforcement and intelligence agencies who may want to crack into a locked iPhone using tools like GrayKey. GrayKey, and similar tools, use the Lightning port to help anyone with physical access crack their way into a locked device – without having to manually guess the passcode.

Unfortunately for Apple, and customers who like to believe that their phone is private, a workaround has been discovered whereby police could prevent an iPhone or iPad entering USB Restricted Mode if they act quickly enough.

Researchers at Elcomsoft discovered that the one hour countdown timer can be reset simply by connecting the iPhone to an untrusted USB accessory:

“In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.”

And where might you find such a compatible USB accessory that can prevent USB Restricted Mode from kicking in?

Look no further than Apple’s own online store, where the company will happily sell you a Lightning to USB 3 Camera Adapter for a mere $39. Chances are that there are even cheaper accessories which will do the job just as well.

Apple has successfully made the window of opportunity smaller for anyone (whether they be a member of law enforcement or not) to crack into an iPhone, but this discovery means that they have not closed it completely.

Apple will need to continue to strengthen the security and privacy of its mobile devices if it wishes to maintain its edge over many Android smartphones. Nice try with iOS 11.4.1 Apple, but we need you to do more.

Data collected by smartphone app Timehop on its entire customer base of 21 million users was compromised following a security incident, the company confirmed on its website on July 4.

According to its statement, the breach was detected two hours and 19 minutes after it began, while the attack was still in progress, and only some user data was compromised: names, email addresses, a few phone numbers, and the access keys that linked users' social media profiles to Timehop.

What led to the breach was a cloud computing account whose access credential was not protected by multi-factor authentication.

“The breach occurred because an access credential to our cloud computing environment was compromised,” reads the statement. “That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

The company assures account holders that no messages, financial data, photos or social media posts were compromised in the breach.

“To reiterate: none of your ‘memories’ – the social media posts & photos that Timehop stores – were accessed,” Timehop said. “We have no evidence that any accounts were accessed without authorization.”

Access keys were deactivated and users logged out of their accounts as a preventative measure. The company is collaborating with law enforcement and security experts to reduce impact. Also, they assure users that none of their credit card or financial data has been stored on their servers, nor location data, IP addresses or copies of their profiles and content.

Timehop is a memento collector: it mines users' photos and posts from social networks and from Dropbox and resurfaces them online.

Leveraging customer data is the lifeblood of today’s digital economy, but regulations like the EU’s GDPR threaten to make it difficult to mine this precious “ore.” Businesses still have a few options at their disposal, if they are to continue to sell their services – and stay competitive.

A poll of 11,474 consumers commissioned by market intelligence consortium DMA has revealed that 51% (the “data pragmatists”) are more than happy to hand over their personal data to businesses that can offer a clear benefit in exchange.

Another important demographic is the “data unconcerned” (26%), described by the surveyors as those who do not mind how and why their data is used. The remaining 23% are the so-called “data fundamentalists,” or those who never share their data for any reason.

Countries with the most data pragmatists include Spain (59%), USA (58%) and Singapore (57%), while data fundamentalists are mostly found in Australia (27%), The Netherlands (26%), and Germany (26%). However, these countries also house a sizeable proportion of data-unconcerned folk (Netherlands 35%, Germany 34%, Argentina 29%).

“We are in a new era of data privacy,” said Chris Combemale, Group CEO of DMA. “Questions have been raised about whether major data breaches and increased talk about the value of our personal data is impacting consumer anxiety over how their information is used. In fact, our research shows that even though consumers are more aware than ever and have concerns about their online privacy, the majority will continue to share their personal information if they trust the organisation and gain something in return.”

Respondents further revealed that they place great importance on transparency (86%), simple terms and conditions that they can properly interpret and understand (84%), and flexible privacy policies (82%).

On a global level, 83% of consumers would like more control over their data, and 49% named “trust” as the most important factor when deciding whether to hand over their data to an organization.

“Globally, the majority of consumers are pragmatists – willing to share their data so long as there is a benefit. Trading data is a common desire amongst consumers and data as a commodity will become more important for companies in the years to come,” reads the report. “However, ensuring that your organization is transparent, with its customers in how data is used and stored, together with putting them in control of their own data, is key to building trust with consumers and making them comfortable with data sharing. This can build a solid platform for the future of data economy, bringing benefit to consumers and businesses alike.”

US is the most vulnerable nation to attacks; White House working on executive order for agency CIOs

Enterprises are not the only ones at risk when it comes to cyberattacks. Government institutions can also fall victim to a nation-state attack at any time. Government systems remain highly vulnerable and, perhaps surprisingly, the US has been declared the most vulnerable nation by Rob Knake, the official in charge of the country's cybersecurity policy during Barack Obama's administration.

“We are going to be less reactive to incoming cyberattacks because we have more to lose and we’re in a democratic society that is going to force government to take certain responses,” Knake said at the Council on Foreign Relations. “That’s not true of China, Russia, Iran or North Korea.”

While the Obama administration allegedly carried out the famous Stuxnet attack on Iran’s nuclear program, it has been accused of introducing a rather laid-back approach to cyber policy. The Donald Trump administration wants to release an executive order to redefine the role of agency CIOs, as part of an IT modernization strategy.

The bizarre twist is that the executive order they’re working on will not include CIO authorities in the Defense Department, although Congress has been pushing to redefine CIO authority and responsibilities to make them more strategic and aggressive. According to the Defense Authorization Bill signed this year by President Donald Trump, the CIO has to be appointed by the president and confirmed by the Senate. It’s still unclear why the Defense Department has not been included.

Former officials have anonymously commented on the executive order which, in their opinion, brings few additions to other plans that have been presented in the past 15 years.

By enforcing the executive order, the administration’s goal is to enhance “the management and oversight of federal IT by designating the chief information officer of each covered agency as the primary point of responsibility and accountability for management of IT resources within that agency. The agency chief information officer should be the key strategic advisor to the agency head concerning the use of IT to accomplish the agency’s mission, reduce cybersecurity risks, and improve efficiency,” the draft EO states.

“Consistent with statute, the agency chief information officer should play a central role in all annual and multi-year planning, programming, budgeting, acquisition, and oversight processes related to IT. As such, the agency chief information officer should establish an enterprise wide technology roadmap and govern its execution. This requires the latitude to operate across agency component organizations and to drive the enterprise wide consolidation and modernization of the agency’s IT portfolio.”

A flaw detected by users in the pre-installed Samsung Message App on Samsung Galaxy phones causes the app to forward random user photos to arbitrary contacts without the user’s knowledge, according to discussion threads on both reddit and the manufacturer’s forum.

“The Samsung Messaging has become VERY BUGGY after the RCS / Advanced Messaging Update on T-Mobile,” a user wrote on the company’s forum.

“1. I have only noticed the issues when scheduling SMS/MMS.

The recipients are not on any specific plan or carrier that I can tell.

They are all my contacts. All my contacts are stored in / synced with Outlook Exchange.”

Another customer said on reddit that “S9s have been sporadically sending the entire contents of one’s gallery to a contact via SMS, and it doesn’t show up on your side. Might be worth checking logs on your carrier’s site, because it happened on my T-Mobile Note8.”

Because there is no history to confirm the images were sent, users only find out about the error if a contact replies with questions about the odd photo. The phone sends out not only pictures from the image gallery but also other images, such as emojis, from the smartphone’s internal memory.

According to forum posts, the flaw affected only users who had just updated the app; because the same users had not experienced a similar issue on the Samsung Galaxy 7, they concluded it was a software flaw and not a mobile operator error, as a Samsung customer support representative had initially suggested.

Owners of Samsung Galaxy phones such as the S9, S9 Plus and Note should postpone the update until a fix is available. The manufacturer has been informed of the bug and is presumably working on a fix.

Flash Gordon (@s7nsins), a mysterious Twitter user based in New Zealand, announced in a tweet that the US Department of Homeland Security’ Immigration and Customs Enforcement (ICE) sent Twitter an export enforcement subpoena in April to disclose the real identity of the person behind the account.

ICE demanded private information such as name, address, phone number, credit cards linked to the account, IP address history, complaints filed against the account and any other information that might lead to identifying Flash Gordon. Private messages and similar content were not requested, as a court order is necessary for those.

Following its guidelines and policies, Twitter informed the user of the legal request. Flash Gordon received legal assistance from the Electronic Frontier Foundation, and the subpoena was unsuccessfully challenged on June 20.

The reasons behind the demand were not explained, but ICE could be interested in uncovering the person’s identity because the account has regularly released information about data breaches and leaked information found on unencrypted servers.

In the past, Flash Gordon reported finding an inventory of nearly 1 million patient records stolen from HealthNow Records, a medical telemarketing company based in Florida. The database was located on an Amazon Web Services server via Shodan and included sensitive personal and health information of senior patients with diabetes, including Social Security Numbers, health insurance data and names.

Flash Gordon recently revealed another leak, this time related to the cache of law enforcement data by ALERRT, a company that trains police and civilians to respond against shooters. The leaked cache revealed which police units in Texas lacked resources to react to active shooter situations.

Ticketmaster has warned customers that their personal information may have been compromised, after malicious code was discovered running on its website.

Up to 40,000 UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 are thought to be affected. In addition, international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018 may also be at risk.

Which is all bad news of course, but how did the breach happen in the first place?

It appears that the malware was introduced to Ticketmaster’s site via a piece of external third-party code from Inbenta, a technology company that provides online chatbot and support ticketing services for websites.

As soon as Ticketmaster recognised the issue it disabled Inbenta’s code across all of its websites.

In a statement, Inbenta said that the source of the data breach was a “single piece of Javascript code” that had been customised specifically for Ticketmaster’s purposes. The code, Inbenta says, is not in use on any other company’s websites.

Inbenta says it has now resolved the vulnerability, but not before attempting to pass some of the blame onto Ticketmaster for using its risky code on a payment page:

“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

Although it’s obviously trying to pass the buck, Inbenta certainly has a point. Embedding third-party JavaScript onto an online payments page introduces risk: the script runs with the same access to the page as the merchant's own code, so if the third party's copy is modified, online criminals can use it to read card fields as they are typed and silently send them elsewhere, which is exactly what happened here.

Ticketmaster says that it has emailed all customers who it believes are affected by the security incident, and is offering 12 months’ free identity monitoring for those who have been impacted.

Potential victims are also advised to keep a close eye on their bank account transactions for signs of suspicious activity.

But aside from the financial risks, Ticketmaster customers would also be wise to look out for phishing scams, where an attacker might exploit the situation by sending out bogus emails purporting to come from the company.

Curiously, digital bank Monzo claims that it warned Ticketmaster that data had been compromised three months earlier, in early April. In a blog post, the firm says that it met with members of Ticketmaster’s security team on 12 April, and was told that an internal investigation would take place.

“Over the course of Thursday 19th April and Friday 20th April, we sent out six thousand replacement cards to customers who had used their Monzo cards at Ticketmaster. We let them know that we were replacing their cards through their Monzo app, but didn’t name Ticketmaster as the reason at the time.”

“Throughout this period we were in direct contact with Ticketmaster. On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”

And yet Ticketmaster’s official statements say that it only discovered it had a serious security issue on June 23rd.